To assist you with your audit preparation, AWS Audit Manager provides a prebuilt framework that structures and automates assessments for the NIST Cybersecurity Framework, based on AWS best practices.


What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the oldest physical science laboratories in the United States. The U.S. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic powers.

The United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the security, economy, and public safety and health of the United States at risk. Similar to financial and reputational risks, cybersecurity risk affects a company’s bottom line. It can drive up costs and affect revenue. It can harm an organization’s ability to innovate and to gain and maintain customers. Cybersecurity can be an important and amplifying component of an organization’s overall risk management.

The NIST Cybersecurity Framework (CSF) is supported by governments and industries worldwide as a recommended baseline for use by any organization, regardless of its sector or size. The NIST Cybersecurity Framework consists of three primary components: the framework core, the profiles, and the implementation tiers. The framework core contains desired cybersecurity activities and outcomes organized into 23 categories that cover the breadth of cybersecurity objectives for an organization. The profiles contain an organization’s unique alignment of its requirements and objectives, risk appetite, and resources with the desired outcomes of the framework core. The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework core.

Use AWS Audit Manager to support your NIST audit preparation

You can use the NIST Cybersecurity Framework version 1.1 framework in AWS Audit Manager to prepare for NIST audits. Audit Manager currently supports the framework core component by offering 56 automated controls and 52 manual controls. These controls are matched to the 23 cybersecurity categories that are defined in the framework core. Audit Manager doesn't support the profiles and implementation tiers components in this framework. The controls that are offered by Audit Manager aren't intended to verify whether your systems are compliant with the NIST Cybersecurity Framework. Moreover, they can't guarantee that you will pass a NIST Cybersecurity assessment. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find NIST Cybersecurity Framework version 1.1 under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment. For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.